S1QL CHEATSHEET FOR SECURITY ANALYSIS

QUERY SUBJECT SYNTAX QUERY SUBJECT SYNTAX HOST/AGENT INFO PROCESS TREE Hostname AgentName Process ID PID OS AgentOS PID of the parent process ParentPID Version of agent AgentVersion Parent process ParentProcessName Domain name DNSRequest Time parent process started to run ParentProcessStartTime Site token SiteId Unique ID of parent process ParentProcessUniqueKey Site name SiteName Process command line ProcessCmd Display name of process ProcessDisplayName FILE/REGISTRY INTEGRITY Generated ID of the group of processes, from first parent ProcessGroupId File ID FileID to last generation (SentinelOne Patent) File name FileFullName Pathname of running process ProcessImagePath Date and time of file creation FileCreatedAt SHA1 signature of running process ProcessImageSha1Hash MD5 FileMD5 String: SYSTEM (operating system processes), HIGH ProcessIntegrityLevel (administrators), MEDIUM (non-administrators), LOW Date and time of file change FileModifyAt (temporary Internet files), UNTRUSTED SHA1 signature FileSHA1 Process Name ProcessName SHA256 signature FileSHA256 ID of the terminal session of a process ProcessSessionId SHA1 of file before it was changed OldFileSHA1 Process start time ProcessStartTime Name of file before rename OldFileName String: SYS_WIN32, SYS_WSL, SUBSYSTEM_UNKNOWN ProcessSubSystem Identity of file signer Signer Unique ID of process ProcessUniqueKey Registry key unique ID RegistryID PID after relinked Rpid Full path location of the Registry Key entry RegistryPath Thread ID Tid ID of all objects associated with a detection TrueContext NETWORK DATA Username User String: GET, POST, PUT, DELETE NetworkMethod URL NetworkUrl SCHEDULED TASKS DNS response data DNSResponse Name of a scheduled task TaskName IP address of the destination DstIP Full path location of a scheduled task TaskPath Port number of destination DstPort IP address of traffic source SrcIP Port number of traffic source SrcPort

www.SentinelOne.com | [email protected] | +1-855-868-3733 | 605 Fairchild Dr, Mountain View, CA 94043 S1QL CHEATSHEET FOR SECURITY ANALYSIS

QUERY SUBJECT SYNTAX QUERY SUBJECT SYNTAX HOST/AGENT INFO PROCESS TREE Hostname AgentName Process ID PID OS AgentOS PID of the parent process ParentPID Version of agent AgentVersion Parent process ParentProcessName Domain name DNSRequest Time parent process started to run ParentProcessStartTime Site token SiteId Unique ID of parent process ParentProcessUniqueKey Site name SiteName Process command line ProcessCmd Display name of process ProcessDisplayName FILE/REGISTRY INTEGRITY Generated ID of the group of processes, from first parent ProcessGroupId File ID FileID to last generation (SentinelOne Patent) File name FileFullName Pathname of running process ProcessImagePath Date and time of file creation FileCreatedAt SHA1 signature of running process ProcessImageSha1Hash MD5 FileMD5 String: SYSTEM (operating system processes), HIGH ProcessIntegrityLevel (administrators), MEDIUM (non-administrators), LOW Date and time of file change FileModifyAt (temporary Internet files), UNTRUSTED SHA1 signature FileSHA1 Process Name ProcessName SHA256 signature FileSHA256 ID of the terminal session of a process ProcessSessionId SHA1 of file before it was changed OldFileSHA1 Process start time ProcessStartTime Name of file before rename OldFileName String: SYS_WIN32, SYS_WSL, SUBSYSTEM_UNKNOWN ProcessSubSystem Identity of file signer Signer Unique ID of process ProcessUniqueKey Registry key unique ID RegistryID PID after relinked Rpid Full path location of the Registry Key entry RegistryPath Thread ID Tid ID of all objects associated with a detection TrueContext NETWORK DATA Username User String: GET, POST, PUT, DELETE NetworkMethod URL NetworkUrl SCHEDULED TASKS DNS response data DNSResponse Name of a scheduled task TaskName IP address of the destination DstIP Full path location of a scheduled task TaskPath Port number of destination DstPort IP address of traffic source SrcIP Port number of traffic source SrcPort

www.SentinelOne.com | [email protected] | +1-855-868-3733 | 605 Fairchild Dr, Mountain View, CA 94043 WATCHLIST NAME QUERY WATCHLIST NAME QUERY WATCHLIST NAME QUERY ProcessCmd RegExp “net\s+user(?:(?!\s+/add) Windows 10 Get WMIC Group List Net User Add User ProcessCmd RegExp “wmic group list” (?:.|\n))*\s+/add” Network Adaptor ProcessCmd RegExp “wmic nic” on Local System Details processCmd = “REG ADD HKLM\SYSTEM\ WMIC List built in ProcessCmd RegExp “wmic sysaccount list” Enable SMBv1 CurrentControlSet\Services\LanmanServer\ Execute File in processCmd RegExp “/FILE” AND ProcessCmd System Accounts Parameters /v SMB1 /t REG_DWORD /d 1 /f” Appdata folder RegExp “Appdata” Reg Query - last 10 ProcessCmd RegExp “RecentDocs” AND Unusual Schedule ProcessCmd RegExp “schtasks” AND Nslookup ProcessCmd RegExp “nslookup” files accessed or ProcessCmd RegExp “REG QUERY” AND Task Created processName != “Manages scheduled tasks” executed by explorer ProcessCmd RegExp “explorer” ProcessCmd RegExp “net\s+user(?:(?!\s+/ Powershell with Net DstIP Is Not Empty AND ProcessName Net User Delete User ProcessCmd RegExp “Runonce” AND delete)(?:.|\n))*\s+/delete” Reg Query - RunOnce connections RegExp “powershell” ProcessCmd RegExp “REG QUERY” ProcessCmd RegExp “net\s+user(?:(?!\s+/ Net User Domain ( ProcessName RegExp “windows command domain)(?:.|\n))*\s+/domain” Reg Query - Check ProcessCmd RegExp “Reg Query” AND Shell Process processor” OR ProcessName RegExp Patterns for Virtual ProcessCmd RegExp “Disk” AND ProcessCmd Creating File “powershell” ) AND FileModifyAt > Add user to AD ProcessCmd Contains “dsadd user” Machines RegExp “Enum” “Mar 26, 2017 00:00:39” Query Group Policy Powershell add ProcessCmd RegExp “powershell.exe New- ProcessCmd RegExp “gpresult” ( ProcessName RegExp “windows command local user LocalUser” RSOP Data processor” OR ProcessName RegExp Shell Process Modify “powershell” ) AND ( FileModifyAt > Powershell upload or ProcessCmd RegExp “(New-Object Net. System Info - windows ProcessCmd RegExp “systeminfo” or File “Mar 26, 2017 00:00:10” OR FileCreatedAt > download methods Webclient)” ProcessCmd RegExp “systeminfo” “Mar 26, 2017 00:00:31” ) ProcessCmd RegExp “setspn” AND OR ProcessCmd RegExp “ver >” OR Suspicious - List all ProcessCmd RegExp “-t” AND ProcessCmd System Info and ProcessCmd RegExp “type\s+%APPDATA%” Registry Alteration ProcessCmd RegExp “reg\s+add” OR SPNs in a Domain via Command line ProcessCmd RegExp “reg\s+del” RegExp “-q */*” Network data OR ProcessCmd RegExp “ipconfig” OR gathering ProcessCmd RegExp “net\s+view” OR ProcessCmd RegExp “vssadmin.exe list processImagePath = “C:\Windows\System32\ list vssadmin shadows ProcessCmd RegExp “arp -a” OR ProcessCmd svchost.exe” AND User != “NT AUTHORITY\ shadows” svchost.exe running in RegExp “netstat” SYSTEM” AND User != “NT AUTHORITY\LOCAL a unusual user context Add user or Query ProcessCmd RegExp “net localgroup SERVICE” AND User != “NT AUTHORITY\ WMIC Process local admin group administrators” NETWORK SERVICE” Get - Process data ProcessCmd RegExp “wmic\s+process\s+get” Change firewall profile and sub commands Powershell runnning ProcessName RegExp “powershell” AND User ProcessCmd RegExp “netsh advfirewall” settings WMIC qfe - Gather as system user RegExp “SYSTEM” ProcessCmd RegExp “wmic qfe” Clear Windows Event Windows Patch Data ParentProcessName = “Windows PowerShell” ProcessCmd RegExp “wevtutil cl system” OR Powershell Scheduled Logs Powershell or AND ProcessName = “Task Scheduler ProcessCmd RegExp “Clear-EventLog” ProcessName RegExp “powershell” AND Tasks Created Wevtutil Configuration Tool” (ProcessCmd RegExp “Invoke-Expression” OR ProcessCmd RegExp “netsh firewall” AND Powershell suspicious ProcessCmd RegExp “-encodedcommand” OR FileCreatedAt > “Apr 2, 2017 00:00:03” AND Netsh disable firewall Executable Created ProcessCmd RegExp “disable” commands ProcessCmd RegExp “hidden” OR ProcessCmd ProcessName RegExp “.exe” RegExp “write-host” OR ProcessCmd RegExp ProcessName RegExp “Host Process for Query logged in Users ProcessCmd RegExp “quser” “Get-NetIPConfiguration”) Windows Services” AND ParentProcessName Suspicious Parent Qwinsta - Display != “Host Process for Windows Services” echo command ProcessCmd RegExp “echo” Process svchost.exe information Terminal ProcessCmd RegExp “qwinsta” AND ParentProcessName != “Services and Sessions regsvr32 and scrobj.dll ProcessCmd RegExp “regsvr32” AND Controller app” register-unregister dll ProcessCmd RegExp “scrobj.dll” Current Running ProcessCmd RegExp “tasklist” ParentProcessName = “Insert Vulnerable Processes regsvr32 suspicious processName = “Microsoft(C) Register Server” Application name from Applications Tab” AND Vulnerable App downloads AND DstIP Is Not Empty ( ProcessName RegExp “Windows Command Net User - Query launching shell ProcessCmd RegExp “net user” Processor” OR ProcessName RegExp a User regsvr32 suspicious processName = “Microsoft(C) Register Server” “Powershell” ) file modification AND FileModifyAt > “Mar 1, 2019 00:00:45” Query Network Shares ProcessCmd RegExp “net share” ParentProcessName RegExp “excel” AND ProcessCmd RegExp “regsvr32” AND Excel Running Shell (ProcessName RegExp “sh” OR ProcessName Query Account & (RegistryPath Contains “machine\software\ or Python ProcessCmd RegExp “net accounts” regsvr32 Persistence RegExp “python”) Password Policy classes” OR ProcessCmd RegExp “schtasks\ s+/create”) Whoami ProcessCmd RegExp “whoami” Net Config - Query Workstation Current ProcessCmd RegExp “net config workstation” ProcessCmd RegExp “bitsadmin” AND Settings (ProcessCmd RegExp “transfer” OR Powershell Get processCmd RegExp “powershell\.exe\ Bitsadmin suspicious ProcessCmd RegExp “download” OR Clipboard Entry s+echo\s+Get\-Process\s+\|\s+clip” commands Query AD ProcessCmd RegExp “dsquery” ProcessCmd RegExp “.ps1” OR ProcessCmd Powershell Get processCmd RegExp “powershell.exe echo RegExp “powershell”) Running Processes Get-Process” ProcessCmd RegExp “wmic useraccount get” WMIC user OR ProcessCmd RegExp “wmic useraccount ProcessCmd RegExp “reg add» AND account list Powershell Search processCmd Contains “powershell list” Registry Persistence (ProcessCmd RegExp “Run” OR ProcessCmd for Doc Files Get-ChildItem -Recurse -Include *.doc” RegExp “Null”) WMIC NT Domain ProcessCmd RegExp “wmic ntdomain” Find string processCmd Contains “findstr” Object Query ProcessCmd RegExp “copy” OR ProcessCmd Copy commands RegExp “xcopy”

www.SentinelOne.com | [email protected] | +1-855-868-3733 | 605 Fairchild Dr, Mountain View, CA 94043